Cryptographic Keys 101: What They Are & How They Secure Data
1 Star2 Stars3 Stars4 Stars5 Stars (3 votes, average: 5.00 out of 5)

Cryptographic Keys 101: What They Are & How They Secure Data

Compromised cryptographic keys have a devastating effect on any organization — just ask the major Android device manufacturers whose keys were used to distribute malware. Here’s what to know about cryptographic keys, how they work, and how to keep yours secure.

Encryption secures everything from the credit card transactions you use to buy items online to the health information you share with your doctor. It’s an intricate system that relies on cryptographic keys to help keep that information secure.

But what are cryptographic keys, and how do we use them? We’ll explore the roles of cryptographic keys in modern communications and what you can do to secure them.

Let’s hash it out.

What Is a Cryptographic Key? A 90-Second Overview of Cryptographic Keys

A cryptographic key is a string of characters (often random or mathematically generated) that’s paired with a cryptographic algorithm to secure data. Algorithms are mathematical formulas that carry out multiple important cryptographic functions. Two of the most common functions involving cryptographic keys are data encryption and decryption:

  • Encryption uses a cryptographic key to scramble plaintext (readable) data into unreadable gibberish (called ciphertext). This protects the data’s confidentiality from prying eyes.
  • Decryption enables a person with the correct cryptographic key to recalculate the original data from the gibberish ciphertext. This way, they — and only they — can read the message.
A basic illustration that showcases how data encryption works.

When a secret cryptographic key gets exposed or compromised, it means that whatever it’s used to secure is now at risk of compromise.

Throughout nearly the last nearly 4,000 years of human history, there’ve been many instances of using cryptographic keys to communicate secret information. This includes everything from ancient Egyptian tomb inscriptions to activities associated with the United Kingdom’s Government Communications Headquarters (GCHQ) after World War I. One of the best-known (and simplest) examples of cryptographic key applications is the Caesar Shift Cipher. This basic substitution cipher “shifts” the alphabet by a set number of spaces (e.g., A becomes D, and N becomes P). In this case, the “key” would be knowing how many spaces to shift to decrypt the message.

A common example of encryption can be seen when you log in to your favorite website. If you see the secure padlock icon (pictured below), it means that you’re accessing a site that’s secured with public key cryptography using SSL/TLS. (We’ll speak more about that later in the article.)

Image caption: A screenshot of the security padlock icon that displays when you visit in Google Chrome.

NOTE: This trusted little padlock icon will be going away in Google Chrome, starting with Chrome 117 that’s estimated to launch in September 2023, according to a recent update by the Google Chrome Security Team. Instead, the browser will display a “tune” icon that users can click on for information.

Cryptographic Keys Are Lumped Into Two General Categories: Symmetric and Asymmetric

Different methods of cryptography involve the use of one or two cryptographic keys. Let’s explore them both before we dive into their uses.

Symmetric Keys = A Single Private Key That Decrypts and Decrypts Data

A graphic element that describes a symmetric key

Symmetric encryption uses a single key, known as a symmetric key. Both the sender and the recipient need to have a copy of the key to encrypt and decrypt data. As such, this private key has to be kept secret so that no unintended third parties could use it to decrypt their secret messages. When you encrypt and decrypt data using a single key, it’s known as symmetric encryption, symmetric cryptography, or private key cryptography.

Imagine you’ve just completed a home renovation, a project that included replacing all of your interior and exterior doors with door locks you bought at a local hardware store. As such, each door you install would have its own separate lock, requiring a separate key to open it. (This would be a bit closer to asymmetric encryption because each key would only fit its corresponding lock — but we’ll dive more into that in just a few moments.)

However, using a symmetric key is like re-keying all of your home’s door locks so that a single key can open them. This is great for convenience because you only need one key, but it also means you have to go to great lengths to keep that key safe. Otherwise, everything inside your home will be compromised if someone gets their hands on that key.

One of the tricky aspects of symmetric keys is that they require the two communicating parties to meet up in a secure way so they each have a copy of the key. (Think of those stereotypical clandestine spy meetups you see in movies or read in books.) This isn’t too bad if you’re in the same geographic area as the other party. But what if you need to share sensitive information now but don’t have the time to meet to exchange keys? Or, what happens when you’re trying to communicate securely with someone who’s located in another state, country, or side of the world? You’ll be plumb out of luck.

A basic illustration that demonstrates how symmetric encryption works using symmetric cryptographic keys
Image caption: A basic illustration that shows a single key is used to encrypt and decrypt data in symmetric encryption applications.

Within the last century, the rise of digital communications changed the landscape of communications. Now, you can be using a phone in the United States and communicate nearly instantaneously with someone regardless of their geographic location. You can enter your information in a web form and send it instantaneously across the internet to someone on the other side of the world.

However, there’s a drawback: If you’re sending that data in plaintext, it isn’t secure and can be intercepted by nosy or malicious third parties.

To avoid this security risk, you and the person you’re communicating with need a way to securely communicate using encryption. But this would require exchanging your symmetric key, right? Yes. And this is where public key cryptography comes into play…

Asymmetric Keys = Separate Keys to Encrypt & Decrypt Data (And Enable Authentication)

A graphic that shows how asymmetric keys work to encrypt (public key) and decrypt (private key) data.

In modern cryptography, another type of cryptographic key is an asymmetric key—a pair of two different but related keys. A public key is publicly known and doesn’t have to be kept secret. It’s linked to a private key, which is kept secret.  

Asymmetric cryptographic keys (asymmetric = not identical) are generated in mathematically related pairs containing one public key and one private key. In public key encryption:

  • The public key, which is available to virtually everyone, is used to encrypt the data.
  • The private key, which must be protected and kept secret, is used to decrypt the ciphertext.

A common analogy you’ll see online that’s used to describe the role of separate keys in asymmetric encryption is a mailbox where you have one key to deposit items (public key) and a separate key to remove them (private key).  

Using these two cryptographic keys enables two parties to create a secure, encrypted connection. Think of when you connect to a website. The server and client use asymmetric keys to securely exchange information that’s used to establish symmetric session keys. These symmetric keys, which require fewer resources to compute, make data exchanges faster at scale.

A basic illustration that demonstrates how asymmetric encryption works using unique (but mathematically related) cryptographic keys
Image caption: A basic illustration that shows two unique keys are used to encrypt and decrypt data in asymmetric encryption applications.

To learn more about how public-private key pairs work in various cryptographic uses, check out our other article that looks at the topic more in depth.

But why bother switching to symmetric encryption at all? Can’t you just use asymmetric keys the whole time? Technically, yes, you could use asymmetric encryption alone to communicate securely on open channels. However, the resources required to make this happen for popular websites would be too costly to do when dealing with thousands or millions of connections. This is why we use asymmetric keys to exchange symmetric key-encrypted sessions to promote scalability.

Check out this recent comparative cost analysis of asymmetric and symmetric applications by researchers at the Institute of Electrical and Electronic Engineers (IEEE). Spoiler alert: Their research shows a “58% saving in global energy costs of public key-based applications” through symmetric key system adoptions.

A Quick Comparison of Symmetric and Asymmetric Keys

 Symmetric KeysAsymmetric Keys
What It IsA single secret that must be protected and not shared.Two keys — one that’s shared publicly (public key) and one that’s kept secret (private key).  
What It DoesEncrypts and decrypts data for storage and/or in secure channels.Used for encryption, description, and authentication, usually over insecure channels like the internet.  
Key Sizes (Using AES and RSA Keys as Examples)AES key sizes are smaller in size (256 bits is the most common size). These keys are calculated in various ways with varying levels of entropy, such as by using a random number generator (RNG).  RSA key sizes are larger keys (1024 bits, 2048 bits, 3072 bits, 7680 bits, 15360 bits, etc.) that are calculated using massive prime numbers.  
Uses and ApplicationsEncrypt at-rest data on servers and internal digital storage applications.  Encrypt in-transit data in open (insecure) channels.
Processing SpeedsFaster to process than asymmetric encryption keys because symmetric keys are smaller.  Slower than symmetric encryption keys because they are larger.
Where You’ll Find ItStored on authorized devices and internal (non-public) serversAsymmetric public keys are integrated with digital certificates or sent with digitally signed and encrypted emails, documents, and software. The private keys are stored securely.

Cryptographic Keys Also Can Be Identified By Their Uses and Applications

Sometimes, cryptographic keys are referred to with regard to the roles they play in cryptographic processes. We won’t get into all of them because they vary depending on the type of cryptographic processes you’re performing, but here’s a quick overview of several examples:

  • Session keys — These keys are used to encrypt data during individual sessions (e.g., connections to a website or web app).
  • HMAC keys — These keys are used to create the digital signatures used in hash-based message authentication codes.
  • Data encryption keys (DEKs) — These keys enable you to encrypt data at rest on your server. DEKs also can be master keys.
  • Key encryption keys (KEKs) — These keys, also called key wrapping keys, are used to encrypt other cryptographic keys that perform at-rest and in-transit data encryption. This means they can be symmetric or asymmetric, depending on the task.
  • Traffic encryption keys (TEKs) — These cryptographic keys are used to encrypt data in transit against man-in-the-middle attacks and other interception methods. 
  • Master keys— The meaning of a “master key” differs depending on its usage. It’s also called a key-derivation key because it’s used in part to calculate other keys using key-derivation methods.

Large Keys Are More Secure (But Less Scalable) Than Smaller Ones

Generally speaking, the bigger the key, the more secure it is. For example, a 256-bit AES symmetric key is stronger than a 128-bit symmetric key, and a 3078-bit RSA asymmetric key is more secure than a 2048-bit asymmetric key. Larger keys help thwart brute force attackers who try to guess your key because it would be virtually impossible to guess all possible combinations using modern computer resources.

Let’s quickly compare public and private keys. We’ve used the RSA key generator tool from to generate a 2048-bit RSA key pair for this example.

Public key:


Private key:


Big difference.

If you compare a symmetric key with an asymmetric key, then you might be surprised to learn that key sizes aren’t equal in terms of their security strength. For example, a 256-bit AES symmetric key is more secure than a 3072-bit RSA asymmetric key. In its “Recommendation for Key Management: Part 1,” the National Institute of Standards and Technology (NIST) lists an AES 256-bit key as being roughly equivalent to a 15360-bit RSA key. Furthermore, since asymmetric encryption requires the use of two keys, it’s slower than symmetric encryption, which only requires one.

Encryption Is Only Secure If Your Keys Are Secure

The security offered by your cryptographic secrets depends on how well you manage and secure them. A lost or stolen key doesn’t do you any good because it’s at risk of compromise. Once a key is compromised, the security of anything it’s been used to secure is at risk. That’s bad news for you and great news for cybercriminals.

You can protect your cryptographic keys using a key management system and by following key management best practices. We’ll speak a little more about that later. But first, let’s look at what cryptographic keys do; then, we’ll explore a few of the most common ways they may be used within your organization.  

A Look at What Cryptographic Keys Do

Cryptographic keys are critical elements of public key infrastructure and play important roles in several crucial cryptographic functions:

  1. Encryption and decryption — We’ve already talked about this, but to recap, encryption is a method of scrambling plaintext data into ciphertext. Depending on the type of encryption used (asymmetric vs symmetric encryption), a cryptographic key is used to encrypt, decrypt, or encrypt and decrypt data.
  2. Authentication — This verifies that an entity (i.e., a person, client, or device) is who they say they are using public key cryptography. Basically, it’s a way to ensure that someone is authentic and isn’t an imposter because only the authorized user should have access to the private key. (This differs from symmetric keys, which both parties share.)
  3. Digital Signatures — A digital signature is a value that proves something (e.g., software, code, documents, or emails) hasn’t been modified or tampered with since it was digitally signed. A cryptographic function (hashing) and a cryptographic key are applied to the data to generate the signature. As such, it also helps provide non-repudiation, meaning that someone who sends something to you later can’t deny sending it. It’s akin to signing a document with a notary present: you can’t later refute signing it because they witnessed you doing so.
A three-part screenshot graphic that shows the message security properties of an email that is signed using an  email signing certificate.
Image caption: A screenshot of the certificate information for an encrypted email.

5 Examples of Cryptographic Key Applications Within an Organization

Not sure if you’re currently using any cryptographic keys within your IT environment? Here are several examples of how your organization or others are likely already using them:

1. Protect In-Transit Data Against Interception Attacks

By enabling HTTPS on your website, you’re securing your data in transit by using transport layer security. You can do this by installing an SSL/TLS certificate on your web server. Using an SSL/TLS certificate on your website ensures that your site users’ data will transmit via secure, encrypted connections.

These connections protect the data in transit. This stops man-in-the-middle attackers who want to intercept, read, modify, or steal your customers’ sensitive data as it transmits between their clients and your server.   

A basic illustration showing how using a secure, encrypted connections helps to protect against a man-in-the-middle (MitM) attack using public-private cryptographic key pairs
Image caption: A basic illustration that shows how using a secure, encrypted connection that’s created using cryptographic keys and algorithms prevents unauthorized users from accessing your sensitive information in traffic.

For added security, enable the support of TLS 1.2 as a minimum on your server. Furthermore, you can use HTTP strict transport security (HSTS) as another layer of security to prevent downgrade attacks (i.e., prevent cybercriminals from forcing a website to downgrade from HTTPS to HTTP).

2. Secure At-Rest Data on Your Hard Drives and Servers

Encryption isn’t just for securing data in transit (i.e., public key encryption uses). Rather, encryption is also commonly used to secure at-rest data as well. This includes virtually any type of data stored digitally on a computer system. For example, this includes computers, database servers, cloud storage, and messages on your email server.

To encrypt data at rest, you’ll often use a symmetric cryptographic key because it’s fast and requires fewer resources than a pair of asymmetric keys.

But data encryption and decryption aren’t the only tricks up a cryptographic key’s sleeve (so to speak). These digital secrets also have other uses…

3. Authenticate Clients, Users, and Devices on Secure and Open Networks

Digital identity authentication in digital communications is crucial to data security. It’s what validates that you’re really you because a trusted authority has vetted your digital identity.

But what if you want to verify whether a user who is trying to access your protected resources is legitimate? Traditionally, this would involve the user entering their username and password. However, login credentials are easily compromised through phishing scams and malware, it means that it’s no longer a viable way to know that someone is authentic.

An alternative is to use digital certificates to verify your digital identity via public key cryptography:

  • A client authentication certificate verifies your identity when accessing a secure web app, virtual private network (VPN), or other protected resources. This can be a certificate you install on your computer or mobile device.
  • A device certificate (also known as a PKI device certificate) enables a covered autonomous device to authenticate to your network and transmit data securely. For example, this type of certificate is often used to authenticate IoT devices in healthcare facilities, airports, and manufacturing plants.

In each of these cases, the cryptographic key associated with the certificate proves your digital identity because only you should have access to it. As such, once authenticated, you can access resources you’re authorized to see and use.

4. Exchange Digitally Signed and/or Encrypted Emails

Email security is another important area where organizations rely on cryptographic keys. When you digitally sign an email, you apply a hash function to the email contents and your private key to the resulting hash value.

When an email is digitally signed, the recipient knows:

  • the email is authentic because it came from you (i.e., your public key decrypts the hash value)
  • the hash value the recipient’s email client calculates matches the one you sent.  
A screenshot that shows how a digitally signed email looks
Image caption: A screenshot of a digitally signed email as an example. When you click on the ribbon icon, additional information will display that verifies the sender’s identity and when the message was digitally signed.

Now, let’s say you want to add another layer of security when sending sensitive or confidential data. You can do this using email encryption. Both the email signing and encryption processes involve the use of S/MIME certificates (i.e., email signing certificates). So, as long as you and your email recipient use email signing certificates and you’ve exchanged public keys, then y’all can exchange secure, encrypted emails. This is particularly important for compliance when sending protected customer, financial, or patient health-related data.  

An example of an email that was encrypted using an email signing certificate and a public-private cryptographic key pair
Image caption: A screenshot of how an encrypted email looks in Outlook.

5. Digitally Sign Code, Software, and Updates Before Release

Digitally signing your software enables you to show customers and software users that your product is not only authentic but hasn’t been tampered with since it was signed. This is important for software developers, publishers, and service providers that maintain customers’ systems.

You can use a code signing certificate to attach a digital signature to your code. This involves applying a cryptographic hash function to your code and using your private cryptographic key to digitally sign the resulting hash value. When someone downloads your software, their browser or operating system will check to see if the hash value matches. When it does, it’ll display your verified organization information.

A set of screenshots that show how Windows User Account Control (UAC) pop-ups display unsigned and signed software information.
Image caption: A side-by-side comparison of two User Access Control (UAC) screens that shows info about an unknown publisher (left) and a verified publisher (right).

If you decide to take your identity a step further, you can use an extended validation code signing certificate. Signing your software with that digital certificate ensures your software is automatically trusted by Windows operating systems and the Edge browser. As a result, it won’t display Windows Defender SmartScreen warnings like this:

A Windows Defender SmartScreen warning message displays that the software comes from an Unknown Publisher (and can't be trusted)
Image caption: A screenshot of the Windows Defender SmartScreen warning message that displays when a user tries to install unsigned software on a Windows computer.

Let’s Wrap Things Up With a Few Final Takeaways

Hopefully, we’ve driven home the point that cryptographic keys are crucial to the security of digital assets and data. But much like other precious things in life, they must be protected through all means possible.  

Want Your Keys to Work? Store Them Securely

Storing your cryptographic keys securely isn’t optional; it’s actually a requirement of many industry and regional regulations. And unless you like the idea of forking over thousands or millions of dollars in noncompliance penalties, legal fees, and lawsuit settlements due to data breaches, then we suggest you pay attention.

Historically, only extended validation (EV) code signing certificates came pre-installed on a hardware security token. Now, all organization validation (OV) code signing certificates will also be delivered via secure tokens by default.

You also can use hardware security modules (HSMs) to protect your other cryptographic secrets. These on-prem appliances and cloud-based storage mechanisms provide a way for your authorized users to use your cryptographic keys without having direct access.

Familiarize Yourself With Key Management Best Practices

We’re not going to dive into the specifics of key management best practices here because we’ve already done that in previous articles. To learn more, check out our key and certificate management, check out the following resources:


Casey Crane

Casey Crane is a regular contributor to and managing editor of Hashed Out. She has more than 15 years of experience in journalism and writing, including crime analysis and IT security. Casey also serves as the Content Manager at The SSL Store.